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Continued Examination Under 37 CFR LI 14 

1. A request for continued examination under 37 CFR 1.1 14, including the fee set forth in 
37 CFR 1.17(e), was filed in this application after final rejection. Since this application is 
eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) 
has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 
37 CFR 1.114. Applicant's submission filed on October 02, 2006 has been entered. 

Response to Amendment 

2. The amendment filed on October 02, 2006 has been fully considered but are not 
persuasive. 

• Claims 1-2,4-17, 19-27,29-35,38-41,43-50,52-58 and 60-61 are presented for 
examination. 

Response to Amendment 

In response to Applicant's arguments in pages 116-17 where the applicant quotes the 
office action as supporting unconstrained delegation (page 16, first paragraph). Examiner 
contends that office action and the art of rejection must be looked in its entirety. The 
reference states both the problems and the solutions of unconstrained delegation 
(abstract). Applicant argues that "fox's Charon system considers and tolerates a problem 
what was both recognized and discussed in the specification of the present application." 
Page 16. Examiner notes, because fox's Charon system tolerates the problems discussed 
does not necessarily mean that the reference does not teach the claimed limitation. Fox's 
teaches (the Charon client-side never reveals the user's Kerberos key to anyone... Charon 
module cannot obtain service on behalf of the client without the client's explicit cooperation 
(page 157 end of section 2.1 and section 2.2 number 6-7. Note forwarded message contains 
the (encrypted) TGT. See 4.5 steps 1-3 Charon may be trusted with temporary session keys 
for particular services it contacts on the client's behalf, but not with the user's Kerberos 
password or with sufficient information to impersonate the user...). 
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Claim Rejections - 35 USC §102 

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis 
for the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless — 

(b) the invention was patented or described in a printed publication in this or a foreign country or in public use 
or on sale in this country, more than one year prior to the date of application for patent in the United States. 

Claims 1-2, 4-17, 19-27, 29-35, 38-41, 43-46, 48-50, 52-55, 57-58, and 60-61 are rejected 
under 35 U.S.C. 102(b) as being anticipated by Fox et al. ("Security on the Move: Indirect 
Authentication Using Kerb eros", 1996, hereinafter "Fox"). Fox discloses indirect authentication 
using Kerberos. Fox shows, 

In referring to claims 1,4-5, 12, 16, 19-20,26,29-31,33,35 

• identifying a target service to which access is sought on behalf of a client; and causing a server 
operatively coupled to the client to request access to the target service on behalf of the client, 
from a trusted third party: "Charon interaction consists of two distinct phases: the 
handshake phase, in which the client authenticates itself to the proxy via Kerberos and 
establishes a secure channel with it, and the service access phase, in which the proxy 
accesses Kerberized services on the client's behalf. The Charon protocol module on the 
proxy and the Charon client side software are responsible for the flow of control during 
both phases." (Fox, page 157, paragraphs 2 and 3) the server provides the trusted third 
party with credentials authenticating the server, information about the target service, and a 
service credential previously provided by the client to the server; 

"During the first step (illustrated in figure 1 b), the client uses the proxy as an intelligent router 
to obtain a TGT } which will then be managed by the proxy. From the point of view of the KDC 
and TGS, the proxy appears to be a normal Kerberos client during this phase. " (Fox, page 
157, paragraph 3) 

causing the trusted third party to provide the server with a new service credential granted in 
the name of the client rather than in the name of the server such that the new service 
credential authorized the server to access the target service on behalf of the client while 
withholding a client's authentication credentials from the server (see section 2.3 where 
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Charon does not have user's Kerberos password), wherein the new service credential granted 
in the name of the client is constrained to scope specified by the service credential previously 
provided by the client to the server (the Charon client-side never reveals the user's Kerberos 
key to anyone.. Charon module cannot obtain service on behalf of the client without the 
client's explicit cooperation (page 157 end of section 2.1 and section 2.2 number 6-7. Note 
forwarded message contains the (encrypted) TGT. See 4.5 steps 1-3 Charon may be trusted 
with temporary session keys for particular services it contacts on the client's behalf, but not 
with the user's Kerberos password or with sufficient information to impersonate the user...). 

In referring to claim 2, 17, 27, 32, 

• The trusted third-party includes at least one service selected from a group of services 
comprising a key distribution center (KDC) service, A certificate granting authority service, 
and A domain controller service: 

Fox Fig.l shows the trusted third party includes a KDC. 
In referring to claim 6, 8, and 21, 

• Causing the trusted third-party to verify that the client has authorized delegation: 
Verifying authorized delegation is inherently implied in a system that uses Kerberos 

In referring to claims 7 and 22, 

• The trusted third-party includes a key distribution center (KDC): 
Fox Fig. 1 shows the trusted third party includes a KDC 

Causing the trusted third-party to verify that the client has authorized delegation includes 
verifying the status of a restriction placed on the ticket originating from the client: 
Verifying authorized delegation is inherently implied in a system that uses Kerberos 
In referring to claim 9, 23, and 34, 

• The server is a front-end server with respect to a back-end server that is coupled to the front- 
end server: 

The proxy is a front-end server with respect to the client 
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• The back-end server is configured to provide the target service to which access is sought. 
The target service is a back -end server with respect to the client 

In referring to claims 10 and 24, 

• The trusted third-party includes a key distribution center (KDC): 
Fox Fig. 1 shows the trusted third party includes a KDC 

• The KDC provides a ticket-granting-ticket associated with the client to the client; and the 
client does not provide the ticket granting ticket to the server: 

"During the first step (illustrated in figure 1 b), the client uses the proxy as an intelligent router 
to obtain a TGT, which will then be managed by the proxy. " (Fox, page 1 57, paragraphe 3) 

In referring to claims 1 1 and 25, 

• The trusted third-party includes a key distribution center (KDC): 
Fox Fig. 1 shows the trusted third party includes a KDC 

• The server requests the new credential in a ticket granting service request message that 
includes a service ticket provided by the client to the server: 

"During the first step (illustrated in figure 1 b), the client uses the proxy as an intelligent router 
to obtain a TGT, which will then be managed by the proxy. " (Fox, page 1 57, paragraphe 3) 

In referring to claims 13, 14, and 15, 

The implementation-specific identity information includes information selected from a group 
comprising privilege attribute certificate (PAC) information, security identifier information, 
Unix identifier information, Passport identifier information, certificate information: The 
system of Fox contains security identifier information 

In referring to claim 38, 

• separately authenticating a server and a client; providing the client with a client ticket 

granting ticket and a service ticket for use with the server: 

"the client authenticates itself to the proxy via Kerberos and establishes a secure channel with 
it, and the service access phase" (Fox, page 157, paragraph 2) 
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• providing the server with a server ticket granting ticket; providing the server with a new 
service ticket for use by the server for use with a new service without requiring the server to 
have access to the client ticket granting ticket: 

"During the first step (illustrated in figure 1 b), the client uses the proxy as an intelligent router 
to obtain a TGT, which will then be managed by the proxy. From the point of view of the KDC 
and TGS, the proxy appears to be a normal Kerberos client during this phase. " (Fox, page 
157, paragraphe 3) 

In referring to claim 39, 

• Causing the server to request the new service ticket on behalf of the client by forwarding the 
server ticket granting ticket, information identifying the new service, and the service ticket to a 
trusted third party: 

During the first step (illustrated in figure 1 b), the client uses the proxy as an intelligent 
router to obtain a TGT, which will then be managed by the proxy. From the point of 
view of the KDC and TGS f the proxy appears to be a normal Kerberos client during this 
phase. " (Fox, page 157, paragraphe 3) 

In referring to claims 40, 48, 49, 57, and 58, 

• Identifying a target service to which access is sought on behalf of a client that has been 

authenticated using a first authentication method; 

"the client authenticates itself to the proxy via Kerberos and establishes a secure channel with 
it, and the service access phase" (Fox, page 157, paragraph 2) 

• Causing a server that is operatively coupled to the target service and the client to request a 
service credential to itself from a second authentication method trusted third-party by 
identifying the client and the first authentication protocol: 

• The server communicates with the client via the first authentication protocol which inherently 
implies identifying the client and the first authentication protocol 

• Causing the server to request a new service credential, for use by the server and the target 
service, from the second authentication method trusted third-party, wherein the server provides 
the trusted third-party with a credential authenticating the server, information about the target 
service, and the service credential to itself. 

"Charon interaction consists of two distinct phases: the handshake phase, in which the client 
authenticates itself to the proxy via Kerberos and establishes a. secure channel with it, and the 
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service access phase, in which the proxy accesses Kerberized services on the client's behalf 
The Charon protocol module on the proxy and the Charon client-side software are 
responsible for the flow of control during both phases. " (Fox, page 157, paragraphe 2) 

In referring to claims 41 and 50, 

• The second authentication method trusted third-party includes at least one service 
selected from a group of services comprising a key distribution center (KDC) service, a 
certificate granting authority service, and a domain controller service: Fox Fig.l shows 
the trusted third party includes a KDC 

In referring to claims 43, 52, and 60, 

• The service credential is configured for use by the server and the target service to which 
access is sought. 

"From the point of view of the KDC and TGS, the proxy appears to be a normal Kerberos 
client during this phase. " (Fox, page 1 57, paragraphe 3) 
In referring to claims 44, 53, and 61, 

• The credential authenticating the server includes a ticket granting ticket associated with 
the server. 

"From the point of view of the KDC and TGS, the proxy appears to be a normal Kerberos 
client during this phase. " (Fox, page 1 57, paragraphe 3) 

In referring to claims 45 and 54, 

• Upon receiving a request for the new service credential from the server, causing the second 
authentication method trusted third-party to verify that the client has authorized delegation: 
Verifying authorized delegation is inherently implied in a system that uses Kerberos 

In referring to claims 46 and 55, 

• The server is a front-end server with respect to a back-end server that is coupled to the 
front-end server; The proxy is a front-end server with respect to the client 
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• The back-end server is configured to provide the target service. The target service is a back 
-end server with respect to the client 

Claim Rejections - 35 USC §103 

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all obviousness 
rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 1 02 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a 
person having ordinary skill in the art to which said subject matter pertains. Patentability shall not be 
negatived by the manner in which the invention was made. 

Claims 47 and 56 are rejected under 35 U.S.C. 103(a) as being unpatentable over Fox in view 
of Freier et al. ("The SSL Protocol Version 3.0", 18 Nov 1996, hereinafter "Freier"). Although 
Fox shows substantial features of the claimed invention, Fox does not show using SSL as the 
first authentication method. Nonetheless this feature is well known in the art and would have 
been an obvious modification to the system disclosed by Fox as evidenced by Freier. 

In analogous art, Freier discloses SSL version 3.0. Freier shows SSL can be used to provide 
communication privacy over the Internet (abstract). 

Given these teachings, a person of ordinary skill in the art would have readily recognized the 
desirability and advantages of modifying the system of Fox so as to use SSL, such as taught 
by Freier, in order to provide security for applications that don't support Kerberos 
authentication (For example, Outlook and Netscape email clients). 

Conclusion 

The prior made of record and not relied upon is considered pertinent to applicant's disclosure. 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Yasin Barqadle whose telephone number is 571-272-3947. The 
examiner can normally be reached on 9:00 AM to 5:30 PM. 
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If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Glenn Burgess can be reached on 571-272-3949. The fax phone numbers for the 
organization where this application or proceeding is assigned are 703-872-9306 for regular 
communications and 703-746-7238 for After Final communications. 

Any inquiry of a general nature or relating to the status of this application or proceeding 
should be directed to the receptionist whose telephone number is 703-305-3900. 

Information regarding the status of an application may be obtained form the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either private PAIR or public PAIR system. Status information for 
unpublished applications is available through private PAIR only. For more information about the 
PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private 
PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). 
YB 
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